Description:
The file apps/meteor/app/lib/server/lib/defaultBlockedDomainsList.ts contains corrupted entries in the emailDomainDefaultBlackList array. Two domain names were accidentally joined into one string without a separator, creating entries that will never match any real email domain and silently fail to block disposable email registrations.
Steps to reproduce:
Run this from the apps/meteor directory:
node /tmp/v.js
Expected behavior:
Every entry should be a valid standalone domain name that correctly blocks
registration from disposable email services.
Actual behavior:
Fused entries — two domains merged into one string, will never match anything:
Truncated entry — missing TLD, will never match anything:
Duplicate entries — exact same string appears twice:
Impact:
Because the fused entries are syntactically valid strings, no TypeScript or lint error is thrown. The bug is completely silent. A user can bypass email blocking
by registering with [test@mailmetrash.comilzilla.org](mailto:test@mailmetrash.comilzilla.org) and Rocket.Chat will accept it even though [mailmetrash.com](http://mailmetrash.com/) is explicitly in the blocklist.
Additional context:
The fix is to delete the 3 remaining fused lines (both halves already exist
correctly elsewhere in the list), fix viewcastmediae → [viewcastmedia.eu](http://viewcastmedia.eu/),
and remove one of each duplicate line.
Description:
The file
apps/meteor/app/lib/server/lib/defaultBlockedDomainsList.tscontains corrupted entries in theemailDomainDefaultBlackListarray. Two domain names were accidentally joined into one string without a separator, creating entries that will never match any real email domain and silently fail to block disposable email registrations.Steps to reproduce:
Run this from the
apps/meteordirectory:node /tmp/v.js
Expected behavior:
Every entry should be a valid standalone domain name that correctly blocks
registration from disposable email services.
Actual behavior:
Fused entries — two domains merged into one string, will never match anything:
Truncated entry — missing TLD, will never match anything:
Duplicate entries — exact same string appears twice:
Impact:
Because the fused entries are syntactically valid strings, no TypeScript or lint error is thrown. The bug is completely silent. A user can bypass email blocking
by registering with
[test@mailmetrash.comilzilla.org](mailto:test@mailmetrash.comilzilla.org)and Rocket.Chat will accept it even though[mailmetrash.com](http://mailmetrash.com/)is explicitly in the blocklist.Additional context:
The fix is to delete the 3 remaining fused lines (both halves already exist
correctly elsewhere in the list), fix
viewcastmediae→[viewcastmedia.eu](http://viewcastmedia.eu/),and remove one of each duplicate line.